Stuff I have been thinking about. General Linux stuff, personal stuff, Arch Linux stuff.

Extend kernel PCR with cmdline

The kernel doesn't checksum the cmdline, which would be practical given that we are already doing so for the vmlinuz image.


Rewrite efibootmgr in go with go-uefi and improve usability.


Move pacman DbPath to /usr.


Implement .d directory overrides to hooks. We want to consolidate the hooks from several packages.

Kernel module signing

Just generally; how do we solve this without getting tied to a MOK?

Archweb nvchecker integration

Consider nvchecker;

All repositories can have a .NVCHECKER file like below;

source = "github"
github = "golang/go"
prefix = "go"
use_max_tag = true
exclude_regex = ".*(release|weekly|rc|alpha|beta).*"

The top part would be $pkgbase and rest of the configuration follows the nvchecker documentation.

The implementation for archweb would be a timer running "python nvchecker" which iterates over all PKGBASEs archweb knows about.

We'd look up the following url;

If this file exists we fetch the pkgname, pkgver and the .NVCHECKER file.

We run nvchecker (how this is done.. not sure!) on this and flag OOD if there is a change.


  • How do we deal with secrets? Do we want to deal with secrets?
  • Timer could be once per day
  • Configurable?

Witness logs

  • monitor
  • lvfs monitor